Hello, I'm trying to test my mail server with https://havedane.net but it sends mail to the subdomain with the invalid DANE entry. The reason seems to be that my local unbound (1.9.0) installation gives NXDOMAIN when looking up _25._tcp.wrong.havedane.net:
; <<>> DiG 9.10.3-P4-Debian <<>> _25._tcp.wrong.havedane.net TLSA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29911
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_25._tcp.wrong.havedane.net.    IN    TLSA

;; AUTHORITY SECTION:
havedane.net.    103    IN    SOA    ns091.auroradns.eu. admin.auroradns.eu. 2019011601 86400 7200 604800 300

Unbound log:

Jun 11 20:53:27 unbound[8830:0] info: reply from <havedane.net.> 185.103.243.231#53
Jun 11 20:53:27 unbound[8830:0] info: query response was NXDOMAIN ANSWER
Jun 11 20:53:27 unbound[8830:0] info: 127.0.0.1 _25._tcp.wrong.havedane.net. A IN NXDOMAIN 0.451754 0 116

But this TLSA RR exists and it's found when using any other NS like here (or with @46.182.19.48 or @9.9.9.9 or whatever):

; <<>> DiG 9.10.3-P4-Debian <<>> _25._tcp.wrong.havedane.net TLSA @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22860
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_25._tcp.wrong.havedane.net.    IN    TLSA

;; ANSWER SECTION:
_25._tcp.wrong.havedane.net. 3599 IN TLSA 2 1 1 27B694B51D1FEF8885372ACFB39193759722B736B0426864DC1C79D0 651FEF72
_25._tcp.wrong.havedane.net. 3599 IN TLSA 3 1 1 553ACF88F9EE18CCAAE635CA540F32CB84ACA77C47916682BCB542D5 1DAA871E

I don't know what to look for in my installation or configuration. What results do you get when running that request?

Bye,
Nevel
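As an added example (not from Nevel's post or from unbound), here is a small Python check that parses saved dig output from several resolvers, decodes the TLSA fields, and flags the kind of disagreement shown above: one resolver answering NXDOMAIN while another returns NOERROR with DNSSEC-authenticated records, which is exactly the case a DANE-aware MTA would silently miss. The two sample answers are constructed from the outputs quoted in the post, trimmed to the header and answer sections; the resolver labels and function names are assumptions of this example.

```python
"""Cross-check a TLSA lookup across resolvers from saved dig output (added example, not from the post)."""
import re

TLSA_USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
TLSA_SELECTOR = {0: "Cert", 1: "SPKI"}
TLSA_MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_HEX_LEN = {1: 64, 2: 128}   # expected hex digits per matching type

# Constructed samples, trimmed from the two dig outputs quoted in the post.
LOCAL_UNBOUND = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29911
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""
PUBLIC_8888 = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22860
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
_25._tcp.wrong.havedane.net. 3599 IN TLSA 2 1 1 27B694B51D1FEF8885372ACFB39193759722B736B0426864DC1C79D0 651FEF72
_25._tcp.wrong.havedane.net. 3599 IN TLSA 3 1 1 553ACF88F9EE18CCAAE635CA540F32CB84ACA77C47916682BCB542D5 1DAA871E
"""

def parse_dig(text):
    """Return (status, ad_flag, [(usage, selector, mtype, digest_hex), ...]) from one dig answer."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"flags: ([^;]*);", text).group(1).split()   # header flags, not the EDNS ones
    records = []
    for m in re.finditer(r"IN\s+TLSA\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f ]+)", text):
        usage, sel, mtype = (int(x) for x in m.group(1, 2, 3))
        records.append((usage, sel, mtype, m.group(4).replace(" ", "").lower()))  # dig splits long digests
    return status, "ad" in flags, records

def describe(record):
    """Human-readable TLSA fields; flags a digest whose length does not fit the matching type."""
    usage, sel, mtype, digest = record
    text = f"{TLSA_USAGE.get(usage, '?')} {TLSA_SELECTOR.get(sel, '?')} {TLSA_MATCHING.get(mtype, '?')}"
    if mtype in DIGEST_HEX_LEN and len(digest) != DIGEST_HEX_LEN[mtype]:
        text += f" (bad digest length {len(digest)})"
    return text

def compare_resolvers(answers):
    """answers: {resolver_label: dig_text}. Return findings a DANE operator should look at."""
    parsed = {name: parse_dig(text) for name, text in answers.items()}
    findings = []
    if len({status for status, _, _ in parsed.values()}) > 1:
        findings.append("resolvers disagree on status: " + ", ".join(f"{n}={p[0]}" for n, p in parsed.items()))
    for name, (status, ad, records) in parsed.items():
        if records and not ad:
            findings.append(f"{name}: TLSA answer not DNSSEC-authenticated (no ad flag), unusable for DANE")
        for rec in records:
            findings.append(f"{name}: TLSA {describe(rec)}")
    return findings
```

Running `compare_resolvers({"local unbound": LOCAL_UNBOUND, "8.8.8.8": PUBLIC_8888})` reports the status disagreement first, then the two authenticated records as DANE-TA and DANE-EE SPKI SHA2-256 entries.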
